23542300x8000000000000000166633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:42.061{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C8FD39FEE394D3AF46873AFC9033F6,SHA256=E8839F9EE4573EA0E3466789E39E7F4580C4F84CDE1CD0BE9CCE641F66D2CE69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:42.126{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:42.126{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:42.081{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A14F2E39F1BB4F0AEC9664EB37942E7,SHA256=D801753665C288D7353D23074EEC6A7C62AB449E13A78FD7AAD54FE48ED11584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:43.196{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC1E152712738BE536A9BD4203F4E09,SHA256=1FFFF9A691CF5FBB9311B6A767327E7B87EB1DEB3BA0D71936FC8E61FB41A8A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000268333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:41.607{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65371-false10.0.1.12-8000- 23542300x8000000000000000268332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:43.186{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668648B420CF38D598A1A1F22854C99C,SHA256=2530F518D2D878A5C5960CA5AB617FE1360AF313D4AA13DCDC724BF075BA2F42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:44.324{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323C919D185862B150B142337FE8BB64,SHA256=13BE5B37F36EE15ED441A7D2288ECEA1E9C40E61B0BE71E10958C9A0933BFDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:44.190{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECDCB440F1760CB1913C0B2783C482FB,SHA256=061707B1A84814F67E29811CE5E2070ACF8E453AD722E51292D815C759E63724,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:45.856{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915073339-436MD5=57A72B0C760EE69AC7C248CEF41FB118,SHA256=5529770AAA6131055AA1DBB2FA9931466BD8A31C1B9F15EC8FC648797EB17FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:45.397{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFE3D996272E098E17FA0B21AFDFB7D,SHA256=D428F2F2CF2479A197B403AD50686E66B18EF291F5E0C0704CE1FD561F709D8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.750{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.749{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.326{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.316{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.310{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.304{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.298{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.295{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.293{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.291{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.285{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.250{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.228{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.212{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.205{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.198{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44ABB3E48539B2AD165C0911B7145EEE,SHA256=115C6D84A1D14B1F082FA1024C4A6CE8DED031742E800AA5EF66214EC74A6C1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.194{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.183{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.171{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.160{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.150{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.135{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.085{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:45.083{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000166640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:46.856{E743DC12-D551-6322-2100-000000007502}1544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915073337-437MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:46.428{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03662C02066DFD1E7EFEF7F344BD1116,SHA256=5ACDC6D1C5BF68C60D196C945DB5533D3C8957C09B60C8E3B8B438283448F7E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:46.228{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:46.228{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:46.207{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCE14A1A0275A3C1C21CC09F03D7CF1,SHA256=60439AD626CA4A299892EE13240A63A91407AED2E292F6E0ACA103D91F3297F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000166638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:43.074{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55272-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000166649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5B-6323-530F-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3E5B-6323-530F-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.788{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5B-6323-530F-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.789{E743DC12-3E5B-6323-530F-000000007502}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000166641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:47.488{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B078E93E32358B0FA517B318046BAF5A,SHA256=6797B2C9F4C4F9D7B5E48C93BBC8F2018E70DDF6DDFD469232788711C48FE49E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.760{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.759{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.754{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.752{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 734700x8000000000000000268371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.730{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000268370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.729{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000268369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.728{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000268368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.726{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000268367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.725{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000268366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.724{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000268365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.723{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-DD11-6322-8606-000000007402}5280C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.311{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0413446724640F8C23B668E23E93A607,SHA256=33C2A10922466BF5471E9F1F048F7EDE1B0D6241C8B4E1BB86D0EFE74BD2821A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.223{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:47.223{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.876{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52644FBF711868E5A7CA3EB6F05A7C46,SHA256=675294C7954499E5F2956E88ED74458DDD8EE350B26CF190692A62695D84BBC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.559{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E592E06A05A7BF757115248FBC6421D8,SHA256=999DB1BC14EF8782DD30270E995E5C3801290B5339FDFD641BA0648524DBDB9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.561{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E35-6323-2E18-000000007402}5964C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.556{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.550{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.542{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.524{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.522{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.519{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.515{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.512{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.511{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.506{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.502{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.497{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.489{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.485{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.485{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.484{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.483{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.471{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.470{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.468{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.467{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.458{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.457{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.455{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.452{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.450{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.449{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.448{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.444{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.442{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.434{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.432{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.406{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.404{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.385{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.376{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.324{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02BC908838D2A5287BB85FECDEC8BD9,SHA256=4BD8A2E7D1F30AFFA0F9A95E622C3330CB83EC73C835554A3AC50AED181DD1B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.322{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.313{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000166658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5C-6323-540F-000000007502}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3E5C-6323-540F-000000007502}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.458{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5C-6323-540F-000000007502}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.459{E743DC12-3E5C-6323-540F-000000007502}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000166650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.107{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7880516F27613A4FAC6026DA90772B2D,SHA256=7B0E0C224CB97F362C238EBECAA80920A81B0ED6BD3AF45A810602A5CB3D021C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.298{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.291{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.286{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.282{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.275{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.272{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.269{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.266{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.265{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.263{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.166{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:48.166{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:49.898{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBF20A40051FA941DA2159028D9A964,SHA256=8EB3B650C4B12B1EBF8F241FD1AF543D27A8692B28AA99BF1C2C34BBBD767B12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.635{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8443D530F22F2F6F768771C8ED2E77C,SHA256=3BE61AD89CC4D7F5D2E3F48176AEC58478F4BD30937D22715A0B28965DE6BB76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.615{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5D-6323-560F-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.612{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3E5D-6323-560F-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.611{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5D-6323-560F-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.609{E743DC12-3E5D-6323-560F-000000007502}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000166669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.345{E743DC12-3E5D-6323-550F-000000007502}32045372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5D-6323-550F-000000007502}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D54F-6322-0500-000000007502}4122540C:\Windows\system32\csrss.exe{E743DC12-3E5D-6323-550F-000000007502}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5D-6323-550F-000000007502}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:49.118{E743DC12-3E5D-6323-550F-000000007502}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000268428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:46.648{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65372-false10.0.1.12-8000- 10341000x8000000000000000166696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.947{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.945{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.944{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.944{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.944{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.944{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.943{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.942{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000166688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.692{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F8DBFE95119EB4EEE93B63BAD0A9B3,SHA256=1F6FB6437E73121BA303987C82BB864FFF722623330353D67F7D9108A4702C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:50.943{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BDE6E4C364B5ACAB1DC51533525EDA,SHA256=A1744F2180156057F1AD55EC737E68653B726745EF4083596CD198B68148576B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:50.570{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\10509MD5=49CE5DD294C29E99FF090FB09B4D7849,SHA256=027B3824A5C28FD780E868D98A65BB4FE955950205BFC3A413BB3F7C3BA95414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.450{E743DC12-3E5E-6323-570F-000000007502}27446024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5E-6323-570F-000000007502}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D54F-6322-0500-000000007502}412428C:\Windows\system32\csrss.exe{E743DC12-3E5E-6323-570F-000000007502}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.276{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5E-6323-570F-000000007502}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:50.277{E743DC12-3E5E-6323-570F-000000007502}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000268433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:51.947{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFF5EC721233B2A4A909C25FE218424,SHA256=6F6FC8342BB59FB81E1353FE6A2F87DDD4A85D286CF1027144A80D199EDDA7DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.769{E743DC12-3E5F-6323-590F-000000007502}45164476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.727{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF319868755610DF4F98BA4C9E4DE0A,SHA256=643C1477520F13F9B7F1DAFE80DB0E64BEC4CA44E7C39A5C123E2994565CB2B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D5CB-6322-A000-000000007502}36362012C:\Windows\system32\conhost.exe{E743DC12-3E5F-6323-590F-000000007502}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D54F-6322-0500-000000007502}4123876C:\Windows\system32\csrss.exe{E743DC12-3E5F-6323-590F-000000007502}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000166707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.611{E743DC12-D5CB-6322-9C00-000000007502}30762716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-3E5F-6323-590F-000000007502}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000166706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.612{E743DC12-3E5F-6323-590F-000000007502}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-D54F-6322-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000166705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.121{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.121{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.121{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.121{E743DC12-3E5E-6323-580F-000000007502}19203964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.120{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.120{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 10341000x8000000000000000166699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.120{E743DC12-DCF5-6322-7D03-000000007502}55365740C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-3E5E-6323-580F-000000007502}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D803D0) 23542300x8000000000000000166698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:51.088{E743DC12-D5CB-6322-9C00-000000007502}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=53A4F83D3F33BAF9DCCD8EEE18234202,SHA256=B335F32A80F78AA23591D9A99ABDE82E49B39594CF2329524DD4470820C377FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000166697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:48.094{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55273-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000268432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:51.861{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68C6C9B13FDAC014FED2B6560111236A,SHA256=F7C1CFE79DBA76549461C3591FF5EC3F5971FEF7AF1BE4BDD42EB08FCD7D705D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:52.772{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DDD1AAE9CAB78B47641DC954D85201,SHA256=43429B5E905F2A1DC17096224C7E4A8A514830514A5A41293049CA3FEFEA0605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:53.815{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623647E7D0367FEFB026F45908CA467D,SHA256=AF4BE43DA69FB60E418730DDEAD00357D6693FE1E273FE46ABFF67E001323A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:53.555{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1F60AD9A60609E6A62B9F2A4CB261735,SHA256=2EF57615119D6BC398F036A40B1270C6EC4A75F75E4E9EEE61CAD4E7B132495F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:53.051{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0030644727511236274142413BC45CCC,SHA256=EC4EFF13EA192178BB93ECF1B295246519CE8EC9F8D85814F4FBA91B75FED190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:54.850{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56B4E06C4A1EDB53B2998E72CA6369F,SHA256=92E50C12863428951767169BC579ED471B679687E88AD620947186D86D04594C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000268437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:52.479{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65373-false10.0.1.12-8000- 23542300x8000000000000000268436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:54.055{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77130F280E7C5700CCE519C2C89275E6,SHA256=CC9FC07502AD23B5CE328F6916CE332E9D2D2956F82B88436CEBCBD7FEE98C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:55.904{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27933122738A99EB521E15783FDA1E40,SHA256=FD30BF7E509A64A83CAF379A03A217D002EE12080B9F5AED1F3C84473BEE1B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:55.261{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E21A4F0B632FA4BE1BD534FED948B2,SHA256=4A7A8C84929A4FEDF593026F1E5DF76F9961678E7BC2337D9378AF70EA94F9A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:56.938{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D94BBAAE39F982912125613B278A855,SHA256=6AED897158D5E349E1A6DBAC9F7F59E5B0CCB5465943ABF00B6433CFE274B89D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:56.727{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:56.727{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:56.266{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F5497938AC457FEFE9BE2BEF9F3D45,SHA256=3A7524392F11342B7E6D9B430CB8B719CAECB293FA33C794B4673C6669571350,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:57.272{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A360FE51037BA5EE533B857C9281FEA2,SHA256=E3322AE284DB6FA8F0C2EB6C422153296D7A26F9330CA0844698D01267977D5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.997{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1000-000000007502}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.993{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0F00-000000007502}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.985{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0E00-000000007502}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.976{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-0D00-000000007502}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.968{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.959{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000166723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.958{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5706BF45635FF6B75B217532907A0C,SHA256=A7C61C998C1B84CAD7B8F084882049149F47B999F25E286B59B5E3894DDFB601,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:57.957{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 354300x8000000000000000166721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:53.883{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55274-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000166774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.984{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EE724C3B02319C39FA7CE2E16AFF46,SHA256=B73028EF3D1614DA1844EE505834F0CEB32477E2478058BA94B57ED9D988DC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:58.576{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439434D7EED0365C72B5C7EFF0DEC503,SHA256=4E65FF3480A87BCCB6F24FFAC4E87ED59429FB146714075F9E98D2E86797D05E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.525{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BEBF5AB6B2D7857F5C12EE07C23559,SHA256=93AD2FDF9ECC78AC25AE01EF58363354476FED673398BA11F9143676E4CFCF8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.280{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.277{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.274{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.272{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.270{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.259{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.258{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.258{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.255{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.252{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.248{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.246{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.237{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.235{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.216{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.204{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.195{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.168{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.151{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.130{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.126{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.124{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.123{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.118{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.113{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.109{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.108{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.105{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.103{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.102{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.098{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.093{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.091{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.087{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.081{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1800-000000007502}1772C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.079{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1700-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.062{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1600-000000007502}1204C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.053{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1500-000000007502}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.030{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1400-000000007502}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.024{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1300-000000007502}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.018{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1200-000000007502}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 10341000x8000000000000000166730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:58.008{E743DC12-DCF5-6322-7D03-000000007502}55365788C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D550-6322-1100-000000007502}992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E850) 23542300x8000000000000000268444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:59.581{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA7A432516109C8B184FF60C866721F,SHA256=1960F037CFE18CB86F507C1055580487341661B0534E88E26E037070EAA83D1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:00.687{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F5DEE487DDC83D9D6E8D5DC4F1AD0C,SHA256=463C8AABCCA7605A3D5E8FD24E3ED910BB7765B96525499CABC1DD16BE7BD2D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:00.047{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E86B84359B804637BAFCD53AAF7FE5,SHA256=2E39D6275F84A548DAEBF1C023226CCA6A8173D72E697BA5C38FEF167156EFD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000268445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:01:57.565{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65374-false10.0.1.12-8000- 23542300x8000000000000000268447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:01.691{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91B0517332AC7F77343715A4E2514F5,SHA256=220FA3FA791595616720C2B1B08F91940F7C581A00FBF4F756F1397A9E2F7ACE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-D550-6322-1E00-000000007502}2016C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.349{E743DC12-D550-6322-0D00-000000007502}784816C:\Windows\system32\svchost.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.212{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.212{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000166777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:01:59.013{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000166776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:01.133{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A8ECF70D2CFAD353D1844F43110001,SHA256=5F982A56CB3C9B8C3173E85B2BF600B5CC1B716640962AC422275BE69209771F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:02.695{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F3C50ACA331CFAF63F194A9665DB7D,SHA256=CDE0DE4D2CAFA816341A59DB272EA1C8FCC8DED11DEE22676E4333D0792D7150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:02.394{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4C821004C97D7DA48A6F9D5DACEA17,SHA256=319768F1D0E4C6576FF8DFF8F6688B7B04528AE9E99A918196DBA80DAFFE5048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:03.799{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90CF41601423448ACC354E822D7F157,SHA256=3C64FC86A9CAF240F0AA8DE423E66EEDEA5ACDABCCB10D0868101F589A02D197,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:03.453{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74724E275E6626E9428B31B1271FAC94,SHA256=B2E313E8029E704815F416C482E00091CF11581A90C6BDBF042A92DEBD4AB644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:04.805{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C5A7AE52E35DEC8EA98C56458543F2,SHA256=F5496795C34E41711E187A2B3303078035479531264ECAF067E226F9B2237DC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:04.598{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:04.598{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:04.540{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060B7F6966F10DEA994F30CE57FEDC04,SHA256=BD88AC1013D760FCE1D43466B41A7AE82FD04683A05599AF31450B4B185D1E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:04.521{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915072347-446MD5=96AB8F64BF2AC136AED6AF93044367C6,SHA256=C69AF607FFAD8A58E9D06304002D074829E49F688F7A3044AC59DFA0FD29BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000268453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:02.710{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65376-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000268452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:02.710{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local65376-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000268451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:02.665{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65375-false10.0.1.12-8000- 23542300x8000000000000000268450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:04.313{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=577DFF92D767EE99141328B57F51113E,SHA256=C191CF7F3D99267B9C9F3757057D8507C20584917269FBAB45358588F3C86C92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.921{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE35389BD295B7242C5C91D622F300EC,SHA256=220DE603808A1684D55A4CC3DCDBA465C363D7E12453F84AB42AF52EF0761E45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.878{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=DA516B36F0631520290B2BAD8E47B7CC,SHA256=D6094A9A2111B56746596DF9FFE0BBD1613A3D18DDDCBF28052E2806D7BEE57F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:05.600{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B178B962B58435AF610263398FE57B,SHA256=CE3F3F21B5BD041FB03140D87424BC77F879E0A0EE38AE2875CE843DE4319715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.721{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2400-000000007402}2612C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.713{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2300-000000007402}2604C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.520{6820D070-D301-6322-2600-000000007402}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915072345-447MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.292{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2200-000000007402}2588C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.283{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2100-000000007402}2504C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.267{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2000-000000007402}2468C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.264{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1F00-000000007402}2460C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.256{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-1E00-000000007402}2380C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.251{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F9-6322-1C00-000000007402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.250{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F1-6322-1A00-000000007402}1820C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.248{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1700-000000007402}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.240{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1600-000000007402}1276C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.212{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1500-000000007402}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.195{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1400-000000007402}1088C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.190{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1300-000000007402}1028C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.180{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1200-000000007402}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.173{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1100-000000007402}496C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.154{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-1000-000000007402}108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.131{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0F00-000000007402}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.125{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0E00-000000007402}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.114{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2F0-6322-0D00-000000007402}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.106{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EF-6322-0C00-000000007402}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.071{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0B00-000000007402}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:05.065{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D2EE-6322-0900-000000007402}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000166821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:06.644{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13E8292BC33AFF683780E41FF0549BA,SHA256=4F7D1B5BBA16A8C2643FD9CB1D21155CC94D1C7FECAE0DC7F9E17C1B7FF8D1B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000166820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:04.103{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55276-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000166819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:06.277{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000166818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:06.276{E743DC12-DCE7-6322-6C03-000000007502}13404132C:\Windows\Explorer.EXE{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80297057CD8)|UNKNOWN(FFFFCE42F09B7E08)|UNKNOWN(FFFFCE42F09B7F87)|UNKNOWN(FFFFCE42F09B2611)|UNKNOWN(FFFFCE42F09B3FDA)|UNKNOWN(FFFFCE42F09B2296)|UNKNOWN(FFFFF80296D6D503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:06.276{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF19aa83c.TMPMD5=39D11997735CDFDAB7051AB86B8F82E9,SHA256=34F34B56FDEF9CE630B3344FE748DFBC186169F1CA2CC69FB9A6920D5DE026AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:07.703{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895765D3C2850A7EE4618934F5C99080,SHA256=2B13E5AF295A9B6BBAF410C065857027B80D714ADD4A963E1F28842ADBF53A99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.734{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D302-6322-2E00-000000007402}3148C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.733{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2A00-000000007402}2972C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.727{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.725{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D301-6322-2600-000000007402}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:07.124{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8995E0E999CB556EF777868218E6E13,SHA256=A47E06D0BA8BC56D882139EA294626A985FA056AC5F6E07C892FBB0BD0267202,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000166823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:07.355{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:07.355{E743DC12-D54F-6322-0C00-000000007502}7282640C:\Windows\system32\svchost.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000166828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:08.885{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:02:08.884 23542300x8000000000000000166827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:08.885{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000166826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:08.884{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:02:08.884 23542300x8000000000000000166825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:08.768{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8411A2BFB5318545A0D6D407A08BF3F,SHA256=92357660AAF9A195FD646B135A229967BA07CC402150B0AA012C8F2CBDF62502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.650{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E35-6323-2E18-000000007402}5964C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.647{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DBE-6323-1D18-000000007402}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.641{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA7-6323-1C18-000000007402}4008C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.640{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1B18-000000007402}5688C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.606{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3DA5-6323-1A18-000000007402}3300C:\Users\Administrator\Downloads\Rnwood.Smtp4dev.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.602{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF8-6323-C717-000000007402}4032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.594{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C217-000000007402}7756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.588{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3AF5-6323-C117-000000007402}5168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.579{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-389D-6323-6517-000000007402}6948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.574{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-387E-6323-6117-000000007402}7016c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.562{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5317-000000007402}7936C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.557{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3847-6323-5217-000000007402}7816C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.551{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3449-6323-CC16-000000007402}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.546{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-31A2-6323-6D16-000000007402}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.539{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-30CB-6323-4416-000000007402}4776C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.534{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4515-000000007402}6852C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.529{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-298C-6323-4415-000000007402}5028C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.527{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-28AF-6323-1115-000000007402}8108C:\Windows\System32\win32calc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.504{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.502{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1A51-6323-3F13-000000007402}8008C:\Windows\regedit.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.499{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1074-6323-360D-000000007402}4756C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.485{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1073-6323-310D-000000007402}6776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.465{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-1000-6323-FA0C-000000007402}5800C:\Windows\system32\ServerManager.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.463{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C1-6323-AF0B-000000007402}3832C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.460{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-05C0-6323-AE0B-000000007402}5808C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.449{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F6FD-6322-E009-000000007402}4320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.445{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F4A3-6322-9009-000000007402}4632C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.443{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4309-000000007402}6856C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.443{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-F22E-6322-4209-000000007402}7160C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.438{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F208-000000007402}1892C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.434{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF3-6322-F108-000000007402}7116C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.423{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EF08-000000007402}6736C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.421{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF2-6322-EE08-000000007402}6040C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.380{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.379{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-EE58-6322-B808-000000007402}4192C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.355{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD13-6322-8906-000000007402}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.340{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD12-6322-8806-000000007402}5576C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.288{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD04-6322-7906-000000007402}2656C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.277{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD03-6322-6D06-000000007402}712C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.266{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD02-6322-6A06-000000007402}3848C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.261{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD01-6322-6106-000000007402}2960C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.255{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-DD00-6322-5F06-000000007402}4712C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.253{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D37B-6322-F300-000000007402}3808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.247{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D366-6322-ED00-000000007402}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.245{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.244{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A700-000000007402}4100C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.240{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.239{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3E00-000000007402}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 10341000x8000000000000000268488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.237{6820D070-DD11-6322-8606-000000007402}52805624C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-D303-6322-3A00-000000007402}3548C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000014C28190) 23542300x8000000000000000268487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.230{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCA36A03C3BFB16F6FD34289D75271A,SHA256=781A81B74B930F1BE70A2237B5BA24679D499FA907FAF5704345F4EFD8855FAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:09.812{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA3838C5558F12FE7EBB7040C283782,SHA256=99C362209D6F81E8F14E681B0B4AE223392C55F8B40C4264EECB890B4D7ABD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:09.520{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845D215BA9CD155BD846BA69211B3992,SHA256=6DAA017C45F498D8EB35BFFE36FA454AB64B229EFE3AD00CCE4D8A5D45D5388D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:10.871{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D04765031FD72B0A8AAC57D5535EF4,SHA256=B71C6D42AC4BFFC3628056BAA01F0969E6159BFE9DC04D381E8E6B76EAB9E22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:10.556{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98539130331A241E1C2B212FADAD8C89,SHA256=BDC38B1429171D384206CFD1DE5BA7C8B66C3FA44CFD5196157E548EE892E0EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000268538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:08.575{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65377-false10.0.1.12-8000- 23542300x8000000000000000268540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:11.561{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69743583EF66508B846644A45F054A0F,SHA256=011BDD19FE07FE4279B138095EE456C8423D88A3F94CB51675B78C78CCDD7B49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:11.916{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7444BAA958FBD2C243DE657D6751E5D,SHA256=288544408DAE2DC517F30374FAD2CE016096C17735FA8A45925058D3564AE594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:12.960{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9AAED3D03A02FEA050AC63D2D3233D,SHA256=0522385CCED1B8F5D467A0E29B01719C7B831A6362C5CC585BB5D99644F515B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:12.770{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD987B11347F47D36517A66DAF4F3DE6,SHA256=49DA59E31C0C2A03F70805BA94CD1BE8EE9A18B8196FB15415E30B1E4D97AC00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000166832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:09.874{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal55277-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000268547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.877{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF7EBE4F7ADFBAF26F8D19E690A4145,SHA256=26F0CF394EA034D7C0CDDCA8FB55FDA2D33F4A1AFBA35D04BBE353A14F523414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:13.920{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=EFE23DFD59E556640E96E406FF97D213,SHA256=C32ECAB6F3368CE1E57BA8262CB72B12AA6ED965AFDA996015BAC1E8BE75A54B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000268546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.483{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.479{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.479{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.440{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:13.440{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000268548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:14.980{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24E18049B2BF6F9E257A56323F389A3,SHA256=EFACAF5A55D9B563DE0184FC85316ABC715B28FFB42DA1D5FBC1A5DB1F5F0B56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:14.045{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16146B13E49D7FE469227D5B1CB6B8AA,SHA256=4FB8F95897F423D4F70A481EE7C7A4765829FA4957D92BB1EDAD344CA291EE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000166836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:15.084{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F192C43A1F3431852166F3AD27E948B7,SHA256=16AFEE1EE15D64E93F708459E99814CC6BD46E78402D9449E0813447704F98BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.769{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64520A1AB422D8508C477BC3F5CD4099,SHA256=59BE87647D1495A7C816019A70974197BD97AD282EB6E5F021BE5FF5E8FB414C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000268665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.760{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txt2022-09-15 15:02:15.759 23542300x8000000000000000268664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.760{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000268663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.760{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txt2022-09-15 15:02:15.759 10341000x8000000000000000268662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.744{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 734700x8000000000000000268661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.738{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll2.0.50727.8745 (WinRel.050727-8700)WMINet_Utils.dllMicrosoft® .NET FrameworkMicrosoft CorporationWMINet_Utils.dllMD5=FE3A877218F498F90DD1D097FB770BFA,SHA256=7B7AB5348E3143DB00D0FCE36E5A75867046B5C60FC52DC9E0A166CA2FDF714E,IMPHASH=422758B458E7A457D744549F961156CCtrueMicrosoft CorporationValid 734700x8000000000000000268660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.651{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.650{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.650{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000268657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.630{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE6C59BBF1F6EEFF612BECE849CCEB2,SHA256=4FE3F87D7E86B5A85AA3562FD241932AB58C08A8E59C55D2A27D7849F8AEA73E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000268656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.626{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000268655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.625{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000268654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.625{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000268653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.610{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=2A16D108FE99577ABCC08B92F2765971,SHA256=AF5268F39CE35FA3215E8162A0BF4C1949D0F5FB7A284953362ED23507C5697F,IMPHASH=36E120EA05F8714D20693A7DA02D7326trueMicrosoft WindowsValid 734700x8000000000000000268652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.606{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000268651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.604{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000268650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.601{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000268649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.600{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000268648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.598{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 734700x8000000000000000268647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.598{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000268646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.597{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000268645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.597{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000268644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.597{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 734700x8000000000000000268643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.595{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 10341000x8000000000000000268642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.592{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.588{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587B,IMPHASH=34AF29CE553D01A9CE643682A40D7CB5trueMicrosoft WindowsValid 734700x8000000000000000268640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.588{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040C,IMPHASH=789B4484C292CAC32E0806DEE3E8734AtrueMicrosoft WindowsValid 734700x8000000000000000268639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.586{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 11241100x8000000000000000268638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.488{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:02:15.487 23542300x8000000000000000268637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.488{6820D070-EFF0-6322-ED08-000000007402}4396ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000268636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.487{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 15:02:15.487 10341000x8000000000000000268635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.483{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.471{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.470{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.470{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.464{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.462{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.462{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.456{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.453{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.453{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.446{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll8.0.50727.8745 (WinRel.050727-8700)Dia based SymReaderMicrosoft® Visual Studio® 2005Microsoft Corporationdiasymreader.dllMD5=7D6A7AD508368F8A41E19A593BF8152A,SHA256=9385717A62043C46A22A99893139475ACB44C0096DDE9954C9BDED721F4581A2,IMPHASH=E2ADD10FCF5C120524D6149FB9E129DEtrueMicrosoft CorporationValid 734700x8000000000000000268624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.365{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationmscorjit.dllMD5=942A0FD4301180517656DF2D7DF45574,SHA256=B9648A085BD060F253D28351E5FED798CE5893B69FA4E221D44C99F460D05936,IMPHASH=458AE5B7483D2B3344CEEB01EB67E386trueMicrosoft CorporationValid 10341000x8000000000000000268623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.362{6820D070-D2F0-6322-1500-000000007402}12522024C:\Windows\system32\svchost.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.362{6820D070-D2F0-6322-1500-000000007402}12521316C:\Windows\system32\svchost.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.362{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000268620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.359{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 10341000x8000000000000000268619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.340{6820D070-27DD-6323-F614-000000007402}65044588C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001301360A)|UNKNOWN(000000001AAAFDB2)|UNKNOWN(000000000343334C)|UNKNOWN(000000001AB3F017)|UNKNOWN(000000001AFF8399)|UNKNOWN(000000001AFF81F1)|UNKNOWN(000000001AFF81A9)|UNKNOWN(000000001AFF804A)|UNKNOWN(000000001AFF7EA6)|UNKNOWN(000000001AFF7CBB)|UNKNOWN(000000001AFF7B64)|UNKNOWN(000000001AFF7577)|UNKNOWN(000000001AB6832F) 10341000x8000000000000000268618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.339{6820D070-27DD-6323-F614-000000007402}65046344C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001335D74A)|UNKNOWN(00000000009BA9C6)|UNKNOWN(00000000009BA6D5)|UNKNOWN(00000000009BA13B)|UNKNOWN(00000000009BA0BD)|UNKNOWN(00000000034BE579)|UNKNOWN(000000000354671F)|UNKNOWN(00000000009E816D)|UNKNOWN(000000000D7DD087)|UNKNOWN(0000000003542CCE)|UNKNOWN(000000000D7D69E5)|UNKNOWN(000000000333A6E5)|UNKNOWN(000000000333A62A)|UNKNOWN(000000001AFF804A) 734700x8000000000000000268617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.334{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.330{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Globalization SupportMicrosoft® .NET FrameworkMicrosoft Corporationculture.dllMD5=22E9113EA0D1D8252314F23BAD16DD36,SHA256=A731E05FCFCE0B9FCF449DFB589A49C09FC63593D61676F5EE3977CBD47C64A9,IMPHASH=104E17C81D918D1C093DA532DC4F4DBEtrueMicrosoft CorporationValid 734700x8000000000000000268615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.330{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.330{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.322{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000268612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.322{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000268611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.321{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000268610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.321{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B05DBB473918152F51A7F5A10FE250C7,SHA256=85EA95E8D8B1123288E84E5DC8502584288D67B2C692B118411F37774479498B,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 734700x8000000000000000268609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.321{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000268608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.320{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=65BF71AD92E68AC9BCDFA13C5FF0959D,SHA256=14FDD181EF550EAE500F4B617877BD2DC04827704704A56DCF30446AEEA2882A,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 10341000x8000000000000000268607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.315{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(0000000001140472)|UNKNOWN(000000000844DDC1)|UNKNOWN(000000000844E42A)|UNKNOWN(00000000132F5640)|UNKNOWN(00000000009B6AC8)|UNKNOWN(00000000009B68B6)|UNKNOWN(000000001301BB1E)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE) 10341000x8000000000000000268606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.314{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(00000000009B6AC8)|UNKNOWN(00000000009B68B6)|UNKNOWN(000000001301BB1E)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08) 10341000x8000000000000000268605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.302{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(0000000001140472)|UNKNOWN(000000000844DDC1)|UNKNOWN(000000000844E42A)|UNKNOWN(000000001301C500)|UNKNOWN(00000000009B4B8E)|UNKNOWN(000000001301BA6A)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08) 10341000x8000000000000000268604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.302{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(00000000009B4B8E)|UNKNOWN(000000001301BA6A)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000268603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.302{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001301C1EA)|UNKNOWN(00000000009B4C5C)|UNKNOWN(00000000009B4B6D)|UNKNOWN(000000001301BA6A)|UNKNOWN(00000000009B4B0C)|UNKNOWN(00000000009B21BF)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 10341000x8000000000000000268602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.302{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(0000000001140472)|UNKNOWN(000000000844DDC1)|UNKNOWN(00000000009B359E)|UNKNOWN(00000000009B2AC8)|UNKNOWN(00000000009B2566)|UNKNOWN(000000001301213F)|UNKNOWN(00000000009B1F77)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000268601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.289{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000130140AF)|UNKNOWN(00000000011234C4)|UNKNOWN(00000000011233F4)|UNKNOWN(00000000011233CB)|UNKNOWN(00000000009B2566)|UNKNOWN(000000001301213F)|UNKNOWN(00000000009B1F77)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 10341000x8000000000000000268600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.289{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001301360A)|UNKNOWN(00000000009B2520)|UNKNOWN(000000001301213F)|UNKNOWN(00000000009B1F77)|UNKNOWN(000000000116F99F)|UNKNOWN(000000000116F91B)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64) 10341000x8000000000000000268599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.289{6820D070-27DD-6323-F614-000000007402}65046344C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(0000000013010C9F)|UNKNOWN(00000000034BE48C)|UNKNOWN(000000000354671F)|UNKNOWN(00000000009E816D)|UNKNOWN(000000000D7DD087)|UNKNOWN(0000000003542CCE)|UNKNOWN(000000000D7D69E5)|UNKNOWN(000000000333A6E5)|UNKNOWN(000000000333A62A)|UNKNOWN(000000001AFF804A)|UNKNOWN(00000000035B45C5)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+900db(wow64) 10341000x8000000000000000268598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.286{6820D070-27DD-6323-F614-000000007402}65041056C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64) 10341000x8000000000000000268597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.285{6820D070-27DD-6323-F614-000000007402}65041056C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000268596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.285{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationcordacwks.dllMD5=0ACFE06D73EFBCAFACF72A22F7D79E91,SHA256=525591629E48EC84FE78DBC621AE91536E7039B50593B60AD6B3801B1F91EB5A,IMPHASH=F0FBF635B7EFD828980AA6937580AF82trueMicrosoft CorporationValid 10341000x8000000000000000268595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.284{6820D070-27DD-6323-F614-000000007402}65041056C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000268594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.284{6820D070-27DD-6323-F614-000000007402}65041056C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000268593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.281{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_d08e1538442a243e\msvcr80.dll8.00.50727.9268Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMSVCR80.DLLMD5=26A95438C2D0E0C41B73D19400F4C2DB,SHA256=CC97DCB66E3150CD14294D21AD0E10C7472DF45CAF37E49675A70ED406882BE2,IMPHASH=7FECBC4A16A5DC85A5394A1DF6217680trueMicrosoft WindowsValid 734700x8000000000000000268592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.280{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationmscorwks.dllMD5=25CEE067AED86FF988C8D31BD7212A21,SHA256=3E0987EFC92F4BCD2798934A70BBEDCADB37899B4F6225279F3685A0DB5BB2F8,IMPHASH=C8D17502D1A38C77CC8770F7291FD333trueMicrosoft CorporationValid 734700x8000000000000000268591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.279{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000268590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.278{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000268589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.277{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000268588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.276{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000268587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.275{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000268586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.275{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=8B516F883167509677B58B9984D8EEA2,SHA256=47F9B88E4038517FC8C5FEB3AC04B21A885EE505143952C96A23FE851869A90E,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000268585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.275{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000268584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.274{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000268583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.273{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9629C30BA0F10D72FD189FCA987B0E29,SHA256=4DDAF3BB8CE239A8AD41F333AE7D2AD6B7763B9ED8B862695B67F60E5ADE031C,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000268582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.273{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6CE01AB1C2063B171AD7432B130FEBBD,SHA256=F554E9818C54F6C760C6E53BAEABCA3F5CAD683C028460307F3D93C7A8B06F02,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000268581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.272{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x8000000000000000268580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.271{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000268579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.270{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000268578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.270{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000268577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.270{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000268576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.270{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000268575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.269{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000268574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.269{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000268573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.266{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=25ADC994F9AF8716E35487995DDB45CE,SHA256=47B573E7708AAA00F2BE6E8EB7F3CB1B4817E65FACBBB1D772970A8F710DAF61,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x8000000000000000268572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.266{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000268571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.265{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 734700x8000000000000000268570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.265{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000268569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000268568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000268566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000268565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.264{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000268564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.263{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000268563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.263{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=B04953E4C38042AD2628FA49AB42AB5C,SHA256=7B2B4662D3EE0D6DD673C0FEEE4B28E2E16ABF534DF3076497C6B6B40E8BE9C1,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.263{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.262{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exeMD5=CE35C7E6BD64F72A5BF8C8459A8EA05C,SHA256=9C476C5E9FD2D46E52B9221A5CCA1DD4C768516740019D8DE59C47424869C522,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x8000000000000000268560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.262{6820D070-27DD-6323-F614-000000007402}65047148C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+f6f0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+eb46(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a9a1(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000268559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.262{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.262{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.261{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.261{6820D070-D2EF-6322-0C00-000000007402}8485728C:\Windows\system32\svchost.exe{6820D070-D301-6322-2800-000000007402}2684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.261{6820D070-DD00-6322-5E06-000000007402}34204672C:\Windows\system32\csrss.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000268554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.261{6820D070-27DD-6323-F614-000000007402}65047148C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a871(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a937(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000268553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.260{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exe"C:\Temp\agent_tesla-deob.exe"C:\Temp\ATTACKRANGE\Administrator{6820D070-DD02-6322-1C5A-600000000000}0x605a1c2HighMD5=CE35C7E6BD64F72A5BF8C8459A8EA05C,SHA256=9C476C5E9FD2D46E52B9221A5CCA1DD4C768516740019D8DE59C47424869C522,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000268552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.260{6820D070-D2F0-6322-1200-000000007402}965740C:\Windows\System32\svchost.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.256{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.256{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:15.256{6820D070-DD04-6322-7906-000000007402}26563664C:\Windows\Explorer.EXE{6820D070-27DD-6323-F614-000000007402}6504C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000166837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:16.130{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC57FE28305A8416A01E0DFF9ABF6592,SHA256=4C12A1CF7A69E26D8EA56AF4A6C559239BE75C220C03E693138D68479A6F7997,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000268685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.945{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.5192 (rs1_release.220610-1622)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=C3EAC9E7B604696B078D4275571F58EC,SHA256=8A1F5F88F70C1BD511AE7D0E03D6ABAE1778D59D10041D17B562FE9190559A0A,IMPHASH=E5E8B16505186AC32311EE602EA3C845trueMicrosoft WindowsValid 734700x8000000000000000268684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.944{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\vaultcli.dll10.0.14393.5066 (rs1_release.220401-1841)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=0F9CC4F83FDD30CA09546038D0C1500F,SHA256=754954935A1BB01C0695252B16EDF251F7FF2D66BFB00450CF038D0AA079B844,IMPHASH=8721D7F174531C1C4F8942462C87C899trueMicrosoft WindowsValid 734700x8000000000000000268683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.923{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.922{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.921{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000268680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.818{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shfolder.dll10.0.14393.0 (rs1_release.160715-1616)Shell Folder ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationshfolder.dllMD5=83D8A4E04F99C5FD749D34CC4B970A0E,SHA256=0924F96973B3CE4F15BB7947E6C593B3EA1015E459BF70C3A247A31632EF2ACA,IMPHASH=A262E121DDB8823B3F2D530403B9D7E9trueMicrosoft WindowsValid 10341000x8000000000000000268679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.805{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.804{6820D070-D2EE-6322-0B00-000000007402}6282720C:\Windows\system32\lsass.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.779{6820D070-27DD-6323-F614-000000007402}65047052C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017AB1B4B)|UNKNOWN(00000000011294EF)|UNKNOWN(0000000001129496)|UNKNOWN(00000000011293EA)|UNKNOWN(0000000001129313)|UNKNOWN(0000000009479025)|UNKNOWN(0000000009478ACE)|UNKNOWN(0000000009478A08)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64) 354300x8000000000000000268676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:14.480{6820D070-D360-6322-D400-000000007402}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65378-false10.0.1.12-8000- 23542300x8000000000000000268675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.274{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1BB1929A0D2C92D6FD38F71FB52DB7E,SHA256=BBAF3DDE0782C1A6995B1BD3DCB24A464C73A232E316C904579994E666005DDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.146{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F31C21A6DE86CBBDF8E66DFF43E0F7C1,SHA256=8C875D62AD8AAE3A76252EC203CC9EC9BCB19CFE9F8C93211D69C3CC6C3E8F24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.122{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3BE95F4D916662566F0E83E95D358C,SHA256=4410BF9A2793289DC81A867F9049BF7B71B66FAF4C9596EBD82B58F74DF0459C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000268672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.115{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.115{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.114{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.113{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.113{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000268667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.113{6820D070-DD11-6322-8606-000000007402}52805380C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-3E77-6323-3618-000000007402}5052C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013039390) 10341000x8000000000000000166841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:17.991{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0C00-000000007502}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:17.977{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0B00-000000007502}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 10341000x8000000000000000166839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:17.974{E743DC12-DCF5-6322-7D03-000000007502}55365776C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D54F-6322-0900-000000007502}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C9E3D0) 23542300x8000000000000000166838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:17.189{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743DAAF08DE633FE12571CB36254E944,SHA256=AFC813E04E5924D24EF2B874DE98CA66FCE1446BA0ED7733EA258F65F6B1694A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000268687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:17.899{6820D070-D358-6322-A300-000000007402}1560NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000268686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:17.133{6820D070-D366-6322-ED00-000000007402}4600NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4D51EA79FE71B4A766FA8B819A6A0E,SHA256=1FCFE91012135517376E4AB85212D9550AB18258FC68C26E633871E691883231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000166891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.935{E743DC12-DD29-6322-9303-000000007502}5012WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\oka5g0ws.default-release\datareporting\glean\db\data.safe.binMD5=AB4128D5D47843824FAFD1E5A64457D5,SHA256=B0D877932E28876DD0B49F44D3BFD42290A8829F2F1A284DF11E2D983B98BB68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.344{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-25A4-6323-720C-000000007502}4608C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.341{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0106-000000007502}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.339{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-0006-000000007502}5588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.337{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-EF09-6322-FF05-000000007502}4380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.335{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E657-6322-E804-000000007502}1240C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.325{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-E23D-6322-6604-000000007502}4992C:\Temp\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.324{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DC03-000000007502}4320C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.324{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DF09-6322-DB03-000000007502}4168C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.321{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2D-6322-9B03-000000007502}928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.318{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9903-000000007502}5516C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.315{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2C-6322-9803-000000007502}4836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.313{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9703-000000007502}1064C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.306{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9503-000000007502}5948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.304{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD2B-6322-9403-000000007502}3468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.287{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DD29-6322-9303-000000007502}5012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.276{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEF-6322-7B03-000000007502}5044C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 23542300x8000000000000000166874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.273{E743DC12-D5D9-6322-E600-000000007502}3188NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6E8857E6A84774C8B989336F42DB3A,SHA256=68E8FB8D81EFAB609C7DA50F494F6F9A977FCB747D04ECFEE6E905592FC06FE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000166873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.267{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCEE-6322-7A03-000000007502}4904C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.247{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE7-6322-6C03-000000007502}1340C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.241{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-6203-000000007502}4000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.231{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE6-6322-5F03-000000007502}3472C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.226{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE4-6322-5A03-000000007502}3724C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.225{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-DCE3-6322-5803-000000007502}960C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.223{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D9-6322-E600-000000007502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.219{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5D3-6322-CD00-000000007502}3680C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.214{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-A000-000000007502}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.211{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9C00-000000007502}3076C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.208{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D5CB-6322-9700-000000007502}1160C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.207{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3900-000000007502}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.205{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D553-6322-3500-000000007502}1784C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.204{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2400-000000007502}2528C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.202{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2300-000000007502}2300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.198{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2100-000000007502}1544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.194{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-2000-000000007502}1196C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000166856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 15:02:18.191{E743DC12-DCF5-6322-7D03-000000007502}55365756C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-D551-6322-1F00-000000007502}1092C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D86190) 10341000x8000000000000000268742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.555{6820D070-3E7A-6323-3718-000000007402}79242820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-D358-6322-A300-000000007402}1560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000268741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.555{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000268740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.554{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000268739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.027{6820D070-EFF0-6322-ED08-000000007402}4396C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local65379-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000268738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.015{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local50644- 354300x8000000000000000268737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:16.012{6820D070-D301-6322-2200-000000007402}2588C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local52136- 734700x8000000000000000268736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.352{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000268735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.351{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000268734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.350{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000268733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.349{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000268732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.348{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000268731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.347{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000268730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.347{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000268729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.347{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000268728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.346{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000268727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.340{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000268726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000268725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000268724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000268723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000268722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000268721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000268720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.339{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000268719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000268718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000268717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000268716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000268715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.338{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000268714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.337{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000268713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.337{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000268712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.337{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000268711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.337{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000268710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.336{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000268709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.336{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000268708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.336{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000268707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.335{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000268706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.335{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000268705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.335{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000268704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.334{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000268703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.334{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000268702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.334{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000268701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.334{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000268700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 15:02:18.333{6820D070-D358-6322-A700-000000007402}41004156C:\Windows\system32\conhost.exe{6820D070-3E7A-6323-3718-000000007402}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\Conhos